The Image Spammer’s New Bag of Tricks

Senders of unsolicited electronic messages, also known as spammers, are deploying a new generation of image spam to outsmart e-mail filters and other technologies designed to thwart them.

They’re cutting corners by linking their spam message to a photo on a popular image-hosting site, instead of sending the image as an e-mail attachment. This technique could let spammers send significantly more image spam, according to Secure Computing’s TrustedSource Labs.

Image spam surfaced last year, when scam artists switched from simple text ads to messages embedded in images. Over the course of the year, image spam has gone through many iterations that have made it more difficult to detect.

“[The latest technique] involves hosting messages as links to popular photo sites,” Dmitri Alperovich, principal research analyst for TrustedSource Labs, told the E-Commerce Times. “It is harder to block these links or pull images — even with blacklisting — because it causes false positives.”

Smaller Size, Larger Volume

The first generation of image spam consisted of bulky message files, as the graphics containing the spam text message were larger than plain text, Alperovich explained. The increased file size meant spammers could send fewer messages.

Image spam consumes more bandwidth, requiring two to three times more storage space. That means higher costs, Doug Bowers, senior director of anti-abuse engineering on image spam threats for Symantec, told the E-Commerce Times.

The latest generation of image spam reduces the size of e-mail messages, allowing spammers to churn out higher volumes. That makes it easier for them to amass a global army of zombies, or infected computers.

“All spammers need is a link to pull images to the end user’s screen,” said TrustedSource’s Alperovich. “HTML code makes the spammed image delivery automatic.”
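The linked-image pattern described above can be recognised from message structure alone. The following is an added example, not code from the article or from any vendor it quotes; the sample messages, host names and the `MIN_TEXT_CHARS` threshold are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

MIN_TEXT_CHARS = 40  # assumption: less visible text than this means "image-only" mail
HEADERS = "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
# Constructed sample messages (hosts are placeholders, not real services).
LINKED = ("Subject: hello\n" + HEADERS +
          '<html><body><img src="http://img.photohost.example/u/7/a.jpg"></body></html>\n')
NEWSLETTER = ("Subject: maintenance\n" + HEADERS +
              "<p>The maintenance window moves to Saturday 02:00 UTC. Reply with "
              'questions.</p><img src="https://cdn.example.test/logo.png">\n')

class BodyScan(HTMLParser):
    """Collect hosts of remotely loaded <img> tags and the visible text."""
    def __init__(self):
        super().__init__()
        self.hosts, self.text = set(), []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        try:
            url = urlparse(dict(attrs).get("src") or "")
        except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
            return
        if url.scheme in ("http", "https") and url.hostname:
            self.hosts.add(url.hostname.lower())

    def handle_data(self, data):
        self.text.append(data)

def inspect_message(raw):
    """Summarise how a message delivers its images and how much text it carries."""
    scan, attached = BodyScan(), 0
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            attached += 1  # first-generation image spam: the image travels in the mail
        elif ctype == "text/html":
            body = part.get_payload(decode=True) or b""
            scan.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    chars = len(" ".join("".join(scan.text).split()))
    return {
        "remote_image_hosts": sorted(scan.hosts),
        "attached_images": attached,
        "visible_text_chars": chars,
        "linked_image_only": bool(scan.hosts) and attached == 0 and chars < MIN_TEXT_CHARS,
    }
```

The result is a routing signal for deeper inspection rather than a verdict: as the quote above notes, the image hosts themselves are legitimate, so blocking by host alone causes false positives.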

Picturing Image Spam

Computer security firms have been developing strategies to combat image spam ever since it surfaced. The goal of the image spammers, of course, is to bypass scanning engines traditionally used to detect intrusive content.

Despite improvements in detection methods, image spam continues to be a large threat, accounting for 48 percent of all spam, according to Bowers.

“Spammers are having some success with the new tricks and will not stop using them until they see a consistent ability exists to block them,” he said. Their end goal is to make money, and they’re highly motivated.

Spammers are running their operations via legitimate sites without the site owners’ knowledge. There is no simple way for these hapless hosts to deal with the image-spamming tricks, Bowers noted.

Stopping the Picture

One organization that has found some success in fighting image spam is Barracuda Networks. Its Barracuda Spam Firewall uses an arsenal of image-analysis techniques to block images that contain spam. The detection process entails optical character recognition on pictures.

“We use a worldwide deployment of binary signature of message components,” Stephen Pao, vice president of product management for Barracuda Networks, told the E-Commerce Times. “We have over 40,000 customers providing spam samples received from spammers in over 80 countries.”

Part of that blocking process is being able to recognize the bad guys by the messages they send from familiar Web page addresses, or URLs. Barracuda products can recognize the spam pattern from the way it was sent, he explained.

Secure Computing takes a different approach by looking at where the message is coming from, Alperovich said.

“Over 90 percent of image spam comes from zombies. We can block malicious senders using our TrustedSource methods. We have no problem blocking these new tricks,” he added.

The TrustedSource product is primarily for an enterprise customer base and mail gateways, Alperovich noted. Secure Computing also has a toolbox product available as a free download.

Newest Methods

Barracuda Networks is developing a new approach to blocking image spam: Predictive Sender Profiling closes a gap in detection success that occurs as spammers continue to adapt their own technologies and strategies.

As time goes on, reputation analysis diminishes in efficacy. Spammers engage in identity obfuscation through a broad mix of techniques designed specifically to bypass filters. Reputation analysis has become a baseline, Barracuda’s Pao explained, and more sophisticated spam-filtering techniques are needed.

Predictive Sender Profiling examines bad sender behavior. Some examples of blatant spam signs it can spot: e-mail campaigns with rotating sender Internet protocol addresses; masked Uniform Resource Identifier reputations within locations; and the use of free Internet services to redirect to known spammer domains.

Image spammers also may expose themselves by sending mass e-mails on the same day they register a new domain, or by sending e-mail campaigns that direct to the same spammer data center. Image spammers also blast e-mails to many invalid recipients.

What’s Next?

Secure Computing’s Alperovich disagrees with the view that reputation analysis is becoming less efficient — he sees it as playing a key role in combating image spam.

“There are so many spam methods nowadays that vendors can’t release new signatures to keep up,” he said.

One of those new methods, noted Barracuda’s Pao, is a ploy designed to trick image-fingerprinting technology. Spammers add random dots to their image spam in an effort to fool signature recognition scanners. Barracuda is able to defeat this trick and find the image spam through multiple scanning passes, he said.
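Why random dots defeat a byte-exact image signature, and why a perceptual fingerprint tolerates them, can be shown on a small constructed image. This is an added example, not Barracuda's method (the article says only that it uses multiple scanning passes); the average-hash technique, image pattern, grid size and dot count are assumptions chosen for illustration.

```python
import hashlib
import random

SIZE, GRID = 32, 8      # constructed 32x32 grayscale image, hashed on an 8x8 grid
CELL = SIZE // GRID

def make_image():
    """Constructed stand-in for a spam image: dark 'text' bars on white."""
    return [[0 if (y // CELL) % 2 and CELL <= x < SIZE - CELL else 255
             for x in range(SIZE)] for y in range(SIZE)]

def add_dots(img, count, seed):
    """Copy of img with `count` distinct random pixels inverted (the dot noise)."""
    out = [row[:] for row in img]
    for pos in random.Random(seed).sample(range(SIZE * SIZE), count):
        y, x = divmod(pos, SIZE)
        out[y][x] = 255 - out[y][x]
    return out

def exact_signature(img):
    """Byte-exact signature: any changed pixel yields a different digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img):
    """64-bit average hash: one bit per cell, set when the cell is brighter than the mean."""
    cells = []
    for gy in range(GRID):
        for gx in range(GRID):
            block = [img[gy * CELL + dy][gx * CELL + dx]
                     for dy in range(CELL) for dx in range(CELL)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, c in enumerate(cells) if c > mean)

def hamming(a, b):
    return bin(a ^ b).count("1")

def compare(count=20, seed=1):
    clean = make_image()
    dotted = add_dots(clean, count, seed)
    inverted = [[255 - p for p in row] for row in clean]  # a genuinely different image
    return {
        "exact_match": exact_signature(clean) == exact_signature(dotted),
        "dotted_distance": hamming(average_hash(clean), average_hash(dotted)),
        "inverted_distance": hamming(average_hash(clean), average_hash(inverted)),
    }
```

Matching on a small Hamming-distance threshold instead of digest equality keeps the dotted copy tied to the original while the unrelated image stays far away.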

Lasting Problem

Image spam is high on the list of schemes to track, but it is not the only new trick, noted Symantec’s Bowers. “The common thread is the spammers’ desire to make money. Any combination of spam tricks is at play.”

It’s a cat-and-mouse game between security and spammers, and it’s likely to continue for some time.

“I never will say the war is over,” admitted Barracuda’s Pao, “but certainly one of the battles that is being waged is under control.”

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.

1 Comment

  • A new spam filter from the Netherlands is capable of detecting this kind of URL spam: Caretaker Antispam. Caretaker follows the link, downloads the image from the image hosting site and detects the bad words. The Caretaker site is still in Dutch only but the filter works ace! No need to train it, works right out of the box.
